Security audit

High-Value Extractors

Security checks across malware telemetry and agentic risk

Overview

This is a small paid API skill for extracting structured data from user-provided web pages, with costs disclosed and no local code or persistence shown.

Use this with payment controls because each call can spend USDC. Do not submit private, internal, or personal-data-heavy URLs unless you trust the service operator and have authorization to process that data. Review any generated FastAPI code before running or deploying it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill accepts arbitrary third-party URLs and explicitly extracts company details, emails, and phone numbers, but it provides no privacy notice or data-handling warning. This can lead users to submit pages containing personal or regulated contact data without understanding collection, processing, or compliance implications, increasing privacy and legal risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal